Custom state values are sent to the browser, so yes it can be viewed by that individual if they really want to see it. It’s buried in the app code, but it’s in there. So if the value is not safe to share with literally anybody (including the legit user,) then you have some risk here.